EP0012974A1 - Method for enciphering data blocks of a given length - Google Patents

Abstract

The process works controlled by a key and with concatenation. It also takes into account the possibility of the appearance of shorter blocks, which previously could endanger data security. At the beginning of the encryption process, a previous chaining word V is presupposed and it is determined whether a new data block X is shorter. If it is full length, then V and X are linked in a reversible EXCLUSIVE-OR function, the product is encrypted, the ciphertext Y is simultaneously saved as a new concatenation word V 'for the next process. If the data block X is shorter, the chaining word V is first encrypted, the cipher result W is linked with X in a reversible EXCLUSIVE-OR function and a short cipher block Y is output. The new concatenation word V 'becomes an expression in a register which comprises the full ciphertext Y on the right and the leftmost parts of the preceding concatenation word V up to the predetermined length.

Description

The present invention belongs in the field of cryptography and especially in the field of key-controlled block encryption methods. Such procedures are usually judged to be very safe. If the key is only known to the sender and the authorized recipient of the message, then using known technology it is not actually possible for an opponent to break through such demanding procedures, i.e. the encryption key cannot be determined and therefore the message cannot be decrypted.

With a view to the enactment of new data protection laws, the American office (NBS) has adopted a standard for the protection of the EDP, whose technical description in January 1977 under the title "Data Encryption Standard", FIPS No. 46 of the NBS, U.S. Department of Commerce. In American Patent No. 3,958,081 a device is described which corresponds to this standard.

A problem with block encryption methods is that any given data block X is converted into a block Y for output. This happens so that the same X blocks appear in the output as the same Y blocks if the same key has been used. Opinions as to whether this is a weakness of the cryptographic algorithm are unknown. each other. However, it appears desirable to avoid such weaknesses by using different chaining techniques. One of them has the consequence that a previous plain text or cipher text is entered with the new data to be ciphered in order to change the product of the ciphering process. Such a process is described in US Pat. 4,078,152, which will be discussed later.

In the process of the latter patent, the ciphertext blocks are absolutely dependent on the preceding text, sometimes on a lot of text, with regard to security. Indeed. however, the dependency on cipher text is low, so as not to make deciphering more difficult and to limit the spread of errors. The result is anything but ideal in the case of a data block that follows one or more short, strung blocks in a message to be encrypted. The present invention is therefore intended to provide a significantly improved method over that of U.S. Patent No. 4.087.152 for processing short data blocks, whereby security and error correction in this case can be achieved similarly to that of successive full data blocks.

When using a block encryption method, plain text blocks of a defined length L ^(f) , for example 8 bytes called full blocks, are generally accepted and corresponding ciphertext blocks of the same length are formed. If short blocks of different lengths L ^(s) <L ^(f) occur in plain text, a different ciphering procedure is necessary, especially if the ciphertext is to be as long as the plaintext, ie if the short blocks are not too full Size to be inflated. Obviously, the security of the process and the possibility of error correction should be the same as that of the original process. When concatenated according to U.S. Patent No. 4,078,152, that block is encrypted with the aid of the last preceding output block W of the encryption device, depending on whether the block currently to be processed is full length or shorter. This output block W can either be the full ciphertext block just preceding, or the ciphertext product of the just preceding output block which was used to encrypt a preceding short block. Its deciphering would then result in the associated inversion.

This method has the advantage that the resulting ciphertext block usually implicitly depends on some or a lot of previous text, the amount of which is determined by the last new beginning of the chaining process, as well as the key, which gives the method security. Above all, the dependence on the key and on a small ciphertext set, namely on the next previous full ciphertext block, if available, or on an initial concatenation word is clearly recognizable. These clear dependencies enable an authorized recipient who knows the key to easily decipher. The requirement for permanently available storage space is low and in most cases the ciphertext can be easily corrected or the spread of errors is limited. A single error when encrypting or transmitting the ciphertext usually only continues over a fixed distance, which corresponds approximately to the length of two-full blocks L ^(f) .

However, this method has the following disadvantage. If there is a series of short blocks at the beginning, e.g. a series of short records without each full block, which is not common but possible, then the material that is used together with the plain text for encryption depends only on the encryption key and the algorithm used. It is independent of a previous text and two or more such ciphertext strings produced with the same key could be analyzed and deciphered using known methods. In general, a similar intrusion is possible in the unlikely event that the same key is used to encrypt two or more plain texts that are identical in the sequence and length of their blocks and whose texts match in the full blocks, even if this applies to the texts of the short blocks is not necessarily true. If there is always a sequence of short blocks, with or without previous full blocks, then the deciphering of the following full or short block is clearly partially dependent on the last full block of ciphertext, which may be as far back as possible, so that errors can spread indefinitely.

The present invention is intended over the cited U.S. Patent No. 4.078.152 show a better method for encrypting / decrypting data blocks that follow short blocks. In these methods of the type of key-controlled block encryption methods, the new concatenation word, which occurs after the occurrence of a short block in the context of the Cipher algorithm used to encrypt the subsequent block is derived in a new way. In all other respects, the present process is carried out like that in the cited patent. From the description that follows, it can be seen that the device presented here is in fact against a part of the device described in US Pat. 4.078.152 described device can be replaced.

Further block encryption methods are also described in US Patents 3,798,359, 3,796,830 and 3,958,081, which also deal with data security and show sophisticated facilities. The last patent has already been mentioned in connection with data protection standards. Compliance with these standards is also assumed in the present case. So the length of each block of text that is processed is 64 bits, e.g. 8 bytes of 8 bits each. However, the method can also be used if other data block lengths were specified.

eingesetzt wird, unabhängig davon wie lange (L^(f) oder L^(s)) der nächste zu chiffrierende Datenblock X _i+1 ist.The present invention therefore relates to a method for encrypting data blocks X of a predetermined length L as a function of an encryption key, in order to form encrypted blocks Y with the same length L ^(f) for output, combined with concatenation during the encryption of input data blocks of length L ^{(s )} , which is shorter than L ^(f) , in order to form short encrypted blocks Y ^(s) for - the output with the same length L ^(s) . It is characterized in that the entry of a short data block X _i of length L ^{(s) is} determined as Linking word V _{i of} the current encryption step uses the last available product V _{i-1 of} the encryption process in full block length L ( ^f ) without taking into account the length of the last output encrypted block Y _i-1 , that said chaining word V _{i is} encrypted, further that a part L ^{(s) of} the entire encrypted concatenation word W _{i is combined} by a mathematically reversible function with the short data block X. and the combination is used as the encrypted output Y _{i of} the short data block and finally the combination of the length L ^(s) as Latest component of the concatenation word to be used in the next encryption process

is used, regardless of how long (L ^(f) or L ^(s) ) the next data block X _{i + 1} to be encrypted is.

verbunden wird, welch letzteres beim nächsten Chiffriervorqanq benötiqt wird, und dass die qenannte Verbindunq durch Ausmerzen der n ältesten Bvtes im zuletzt benutzten Verkettungswort V_i beim Einschieben des Chiffreblocks Y_i bewirkt wird. Diese letzte Ausführunq ist beim Beqinn der Chiffrieroperationen ausserdem dadurch gekennzeichnet, dass ein vorgegebenes Erstverkettungswort (ICV) benutzt wird.However, the inventive method can also be characterized in that the encrypted chaining word W _i and the short data block X _i entered are supplied with an EXCLUSIVE-OR operation to form the combination mentioned. According to a further embodiment, the method is also characterized in that the cipher block Y _i currently appearing in the output and having a length of n bytes has the cipher text Y _i-1 that appeared previously in order to form a new concatenation word

is connected, the latter being required for the next cipher, and that the named connection is effected by eradicating the n oldest bvtes in the chaining word V _i last used when inserting the cipher block Y _i . This last execution is also at the beginning of the encryption operations characterized that a predefined first chaining word (ICV) is used.

• Fign. lA - lE Blockdiagramme in vereinfachter Form zur Erläuterung des erfinderischen Verfahrens,
• Fig. 2 die Anordnung der Fign. 2A und 2B,
• Fign. 2A + 2B ein Flussdiagramm, das den Ablauf des erfinderischen Verfahrens darstellt,
• Fig. 3 die Zusammensetzung der Fign. 3A,B,C und
• Fign. 3A,B u.C eine Logikschaltung, dargestellt in Funktionsblöcken einer bevorzugten Ausführung zur Anwendung des erfinderischen Verfahrens.

When shorter data blocks occur, the inventive method results in higher data security thanks to the novel chaining, which is equivalent to that when processing the blocks with full length. At the same time, however, the spread of errors is also limited, with an error that loses its influence after a data length of two full blocks. The invention will now be described in detail with reference to the accompanying drawings. Show it:

• Fig. 1A - 1E block diagrams in simplified form to explain the inventive method,
• Fig. 2 shows the arrangement of Figs. 2A and 2B,
• Fig. 2A + 2B is a flowchart illustrating the sequence of the inventive method,
• 3 shows the composition of FIGS. 3A, B, C and
• Fig. 3A, B uC a logic circuit, represented in functional blocks of a preferred embodiment for applying the inventive method.

zu bilden, das anschliessend als "laufendes" Verkettungswort V_i+1 beim Chiffrieren des nächstfolgenden vollen oder kurzen Datenblocks X_i+1 benutzt wird.The present method can be viewed as an amendment to the key-controlled block encryption method described in U.S. Patent No. 4,078,152. The change affects the _C hiffrierung or decryption of a short data block X _i and defines a new and substantially different type a new chaining word

form, which is then used as a "running" concatenation word V _{i + 1} when encrypting the next full or short data block X _{i + 1} .

, das als Folge der Chiffrierung des kurzen Klartextblockes X. der Länge L_i ^(s) gebildet wurde, als der letzte ausgegebene volle Block W_i des Blockchiffrierverfahrens definiert. Sein Anfangsteil der Länge L_i ^(s) wurde durch eine umkehrbare Operation (z.B. über ein EXKLUSIV-ODER) mit dem Block X_i zur Bildung des Chiffreblocks Y. kombiniert. Im vorliegenden Verfahren wird jedoch unter sonst gleichen Umständen das neue Verkettungswort

als die letzte volle Blocklänge der Verkettung V_i//Y_i des alten Verkettungswortes V_i mit dem neuen Chiffreblock Y_i definiert, wobei letzterer im genannten Patent genau erläutert ist.In the aforementioned patent was the new concatenation word

, which was formed as a result of the encryption of the short plain text block X. of length L _i ^(s) , as the last full block W _{i of} the block encryption method that is output. Its initial part of the length L _i ^(s) was combined with the block X _i by a reversible operation (for example via an EXCLUSIVE OR) to form the cipher block Y. In the present procedure, however, the new chaining word is used under otherwise identical circumstances

defined as the last full block length of the concatenation V _i // Y _{i of} the old concatenation word V _i with the new cipher block Y _i , the latter being explained in detail in the cited patent.

gleich dem vollen Block Y_i des neuen Chiffretext. Diese Definition des Ausdrucks

beim Auftreten eines vollen Datenblocks X. wird für das vorliegende Verfahren nicht geändert. Aber sie kann jener Definition von

als aequivalent betrachtet werden, die besagt:

ist gleich der letzten vollen Blocklänge der Verkettung V_i//Y_i.Im besagten Patent, ergänzt durch die vorliegende Erfindung, ist also das während der Chiffrierung des Blockes X_i(voll oder kurz)erzeugte neue Verkettungswort

jederzeit gleich der letzten vollen Blocklänge der Verkettung V_i//Y_i (des alten Verkettungswortes mit dem soeben erzeugten Chiffretext Y.). Dies gilt unabhängig davon, ob X_i und auch Y_i ein voller oder ein kurzer Textblock ist.If a full block X. is available in plain text, then according to the cited patent was the new concatenation word

equal to the full block Y _{i of} the new ciphertext. This definition of the expression

when a full data block X. occurs, no change is made for the present method. But it can meet that definition of

be considered equivalent, which says:

is equal to the last full block length of the concatenation V _i // Y _i . In the said patent, supplemented by the present invention, is therefore the new concatenation word generated (full or short) during the encryption of the block X _i

at any time equal to the last full block length of the concatenation V _i // Y _i (the old concatenation word with the cipher text Y. just created). This applies regardless of whether X _i and Y _{i is} a full or a short text block.

gleich der Verkettung des letzten (L^(f) - L⁽ⁱ⁾) - langen Teils von V₁ mit Y⁽ⁱ⁾. Die klar ersichtliche Folge davon ist: die Dechiffrierung eines vorliegenden Blocks Chiffretext ist zuerst gerade von diesen Block abhängig, dann von der unmittelbar vorausgegangenen vollen Blocklänge an Chiffretext und schliesslich vom Schlüssel. Der Einfluss eines Fehlers im Chiffretext erstreckt sich daher höchstens auf zwei volle Blocklängen dechiffrierten Klartext.From the definition just shown, it can be seen that V _{i is} as good as the last full block length of the chain V ₁ // Y ₁ // Y ₂ //...//Y _i-1 // Y _i = V ₁ // Y ^{(i) of} the first concatenation word V ₁ (at the beginning of the concatenation) with the ciphertext Y ⁽ⁱ⁾ = Y _{l //} Y ₂ //...//Y _i-1 // Y _i , insofar as it has been generated so far , can be defined. In fact, this is usually true except in cases where the length L ⁽ⁱ⁾ of Y ^{(i) is} less than the length L ^{(f) of} a full block. Then

equal to the concatenation of the last (L ^(f) - L ⁽ⁱ⁾ ) - long part of V ₁ with Y ⁽ⁱ⁾ . The obvious consequence of this is that the decryption of a block of ciphertext depends on this block, then on the immediately preceding full block length of ciphertext and finally on the key. The influence of an error in the ciphertext therefore extends to a maximum of two full block lengths of deciphered plaintext.

In order to carry out the concatenation just mentioned, if a full block length of cipher text has not yet been generated, the method tacitly assumes that the present cipher text is preceded by a full block length of data V ₁ = Kl, which are fixed or variable. These are referred to as the first concatenation word, which both the cipher and is also known to the legitimate deciphering officer. The first concatenation word in the present case is the same as in US Pat. 4,078,152 used.

In order to limit the spread of errors when encrypting a full block and at the same time to standardize the procedure for full and short data blocks, the method described here uses the full data block length, which before entering a block cipher device e.g. To be combined via an EXCLUSIVE-OR link with a full block of plain text, the previous ciphertext in full block length. This also applies in the cited US patent if the immediately preceding block of plain text is a full block, but not if the previous block of plain text is a short block.

The short and long data block concatenation method according to the present invention uses a running concatenation word that is always defined as the immediately preceding full-block length ciphertext L ( ^f ). This method requires that the first text in full block length is preceded by a first concatenation word Kl, which, as already mentioned, must be a data block on which the users of the method have previously agreed. The provision of a first concatenation word seems self-evident, but it is explained in detail in US Pat. No. 4,078,152. If the current plaintext block is a full block, it is combined with the current concatenation word by means of a reversible function, such as an EXCLUSIVE-OR. The result Tat is then encrypted according to blocks using a block cipher device that is included in the system and controlled by a key. The result of the whole process is the creation of a full block of new ciphertext. However, if the current plaintext block is short, ie L ( ^s ) <L ^(f) , the current chaining word is block-encrypted in the device. The result of this ciphering is combined with the plaintext via an EXCLUSIVE-OR link as far as necessary (L ^(s) ) in order to obtain an equally long (L (s) new ciphertext.

The meaning of the term "concatenation word" is mentioned in the aforementioned US Pat. 4,078,152 and the same in the present procedure. However, the derivation of the concatenation word has been changed significantly in the present invention. If, in the patent mentioned, the concatenation word has not been renewed and it is therefore a concatenation of sentences, the current concatenation word used after n short blocks, regardless of how many in series, is always the result of the n-fold block ciphering on the last preceding one full block Y ciphertext since the last new start of the encryption process. Instead, it can be the result of the n-fold block encryption of the first chaining word K1 if there is no full block. With this n-fold block cipher, the result obtained is entered again after the first pass until n passes have been carried out. In the present method, however, the current concatenation word consists of the last full block length of ciphertext, whereby one has to imagine that the first concatenation is still in front of it word stands. It does not matter whether the ciphertext resulted from a ciphering process with a full or a short block. If there were never more than a short block at the end of a sentence and there was no sentence chaining, then the stream of ciphertext would be generated according to the present method and that according to the aforementioned U.S. patent. However, if there are two or more short, consecutive blocks with sentence chaining, or if there is a short block in the middle of an entire sentence, then the ciphertext generated by both methods differs markedly from one another.

Darin bedeutet $ einen umkehrbaren Vorgang wie eine EXKLUSIV-ODER-Verknüpfung,LEFTLX (...) den äussersten linken Teil der Reine .... mit Länge X, V//Y die Verkettung der Reihen V mit Y und RIGHTFB (....) den am weitesten rechts liegenden Teil einer Reihe ... mit voller Blocklänge.If the block encryption process is formally represented as f (K, ..), e.g. output = f (K, input), where K is the key, and if V is the current concatenation word, X the current plaintext block, Y the resulting ciphertext block and V '' the new chaining word is as soon as V begins with an agreed first chaining word, the new procedure for defining successive Y and V 'can be represented as follows:

In this $ means a reversible process like an EXCLUSIVE-OR operation, LEFTLX (...) the extreme left part of the pure ... with length X, V // Y the concatenation of the rows V with Y and RIGHTFB (.. ..) the on rightmost part of a row ... with full block length.

The chaining method described in this way becomes somewhat clearer through the representation of FIGS. 1A to 1D. These are functional blocks of a higher level and data flow diagrams which explain the basic sequence of the inventive method. 1A and 1B show the data flow in the normal case with a full data block, ie a block of length L ^(f) = 8 bytes. In all figures, the character π ^{± 1 means} a key-controlled block encryption method, such as, for example, the aforementioned FIPS standard method for data encryption by the American Standards Office (NBS). The upper index +1 means encryption, -1 decryption. These terms have also been used in said U.S. patent. It is sufficient according to the patented and the present method if the π block input / output register 50 from Fiq. 3B, a data block for encryption or decryption, as well as a special key and suitable control signals are entered. The result then appears in the same register 50. FIGS. 1A and 1B are flowcharts showing the encryption and decryption of a full data block, as was already the case in US Pat. 4,078,152. In Fig. 1A, a full block X plaintext to be encrypted passes through the EXCLUSIVE-OR (EX-O) together with the current concatenation word V. The output signals-of the EX-O are fed to a π ⁺¹ box and this results in the cipher block Y , which also represents the new chaining word V 'of this process. The latter will to the current chaining word V for the next data block.

In Fig. 1B, this process is functionally reversed for decryption. A full block of Y cipher text passes through the π ^-1 box for decryption and is at the same time a new concatenation word V for the next data block to be decrypted. The output of the π ^-1 box becomes one input of the EX-O link, the other input of which accepts the current chaining word. The full, deciphered plain text block X appears at the exit of the EX-O box.

1C shows the concatenation of a short block for the purposes of encryption, and the process for the purpose of deciphering in FIG. 1D. Obviously, deciphering is the mathematical inversion of ciphering. It should be noted that in all figures 1C, 1D and 1E the length of each block X is equal to the length of the corresponding Y and that this is always shorter than a full block of 8 bytes. To avoid confusion, the upper index (s) will no longer be used in this description. In Fig. 1C, the current chaining word V is first fed to the π ⁺¹ box for encryption and simultaneously entered into a chaining register. The plain text block X is linked via EX-O to the output W of the π box to form the cipher block Y.

The short block of encrypted data Y is also shifted into the chaining register and this register becomes the rightmost one Bytes taken from a full block length and made the new concatenation word V '. For this process it is sufficient if the chaining register can only hold just as many bytes corresponding to a full block length. If the new cipher block Y is inserted, an equal number of the leftmost, ie oldest, bytes are shifted out and are lost. The remaining content of the chaining register will thus be the new chaining word V '. It must be noted that the new concatenation word V 'always includes all bytes of the generated block Y and as many of the rightmost bytes of the current concatenation word V as it takes to fill a full block length. This new chaining word is required for the subsequent operation, regardless of whether the next block that occurs is a full block or a short block again. The position when successive short blocks occur is shown in FIG. 1E and will be explained later. The decryption process of FIG. 1D is the mathematical inversion of the encryption in FIG. 1C, with the π box operating in the encryption mode in both cases.

W, wobei es eine Inversion logischen Verknüpfung

nämlich

gibt,

der Vorgang X = Y

W für die Dechiffrierungbenutzt werden. Es ist zu bemerken, dass

rung und Dechiffrierung eines kurzen

ein Chiffriervorgang im Blockchiffriergerät ausgeführt wird, wie dies auch im erwähnten US.-Patent geschieht. Dies ist notwendig, um sicherzustellen, dass sowohl für Chiffrierung als auch für Dechiffrierung dieselbe Grösse W zur Verfügung steht. Bei der Dechiffrierung erhält das Verkettungsregister das laufende Verkettungswort V und den derzeit vorliegenden Chiffreblock Y, die gemäss der Beschreibung von Fig. 1C verkettet werden und das neue Verkettungswort V' ergeben.The main difference in FIGS. 1C and 1D is the swapping of the role of the short block X with that of the corresponding short block Y in terms of input and output, since the effect of an EXCLUSIVE OR represents its own inversion (antivalence). The effect of the link in FIG. 1C is Y = X (EX-O) W, where W corresponds to the output of the π box, or more precisely, an initial part of the same length as X. The effect of the link in Fig. 1D is X = Y (EX-O) W = Y (EX-O) ¹ W. The latter is the inverse 1C and generates the short, decrypted block X. If another function is used for the encryption of a short block X instead of EX-0, for example _Y = X

W, where there is an inversion logical link

namely

gives,

the process X = Y

W can be used for decryption. It should be noted that

encoding and decoding a short

an encryption process is carried out in the block cipher device, as is also done in the US patent mentioned. This is necessary to ensure that the same size W is available for both encryption and decryption. During the deciphering, the concatenation register receives the current concatenation word V and the currently available cipher block Y, which are concatenated as described in FIG. 1C and give the new concatenation word V '.

If X and Y are the corresponding clear and ciphertext of short block length, then the identical new chaining word V 'is formed from V when encrypting X. This is necessary for the successful decoding of subsequent blocks.

FIG. 1E now shows an example for the encryption of three short blocks X ₁ , X ₂ and X3 which follow _one another from a data flow. It is assumed that a current chaining word V ₁ is suitably stored in the chaining register. The latter can also be an initial chaining word (ICV) if these short blocks are the first data of a new transmission, a file, or a data record are without sentence chaining, which must be encrypted by the facility. The three processes are separated by two vertical, dashed lines, and each part comprises the same logic circuit blocks of the diagram of Fig. 1C. The three short blocks X ₁ , X ₂ and X ₃ are assumed to be 3, 4 and 3 bytes in length.

In all three stages, the corresponding current chaining word V ₁ , V ₂ or ^V _{3 is} fed to the π box. The outputs W ₁ , W ₂ and W _{3 of} the relevant π box are linked in an EX-O with the associated plain text block X ₁ , X ₂ and X ₃ , respectively, and the three cipher blocks Y ₁ , Y ₂ and Y _{3 are} generated in this way . It is easy to determine that only as many bytes of the output of the π box in question are used as are necessary to generate a ciphertext of the same length as the input text. In the first stage, Y _{1 has} a length of 3 bytes.

eingeschlossen sind, können hinausgeschoben und fallen gelassen werden, wenn der Chiffretext Y₁ hineingeschoben wird.The formation of the new concatenation words in each stage should now be considered. In stage 1, Y _{1 is} concatenated with the current concatenation word V ₁ , as can be seen from the enlarged representation of the concatenation register and its content at the bottom of the figure. This creates a new chaining word Vi with 8 bytes, which comprises the 3 bytes of Y ₁ on the right and 5 of the bytes on the right in V ₁ on the left. As shown, Vi now becomes the current concatenation word V ₂ for the second stage. As noted earlier, the concatenation register need only be the length of a full block. The parts of the content shown that are not in the new concatenation word

are included can be pushed out and dropped if the ciphertext Y _{1 is} pushed in.

besteht also aus 4 Bytes von Y₂ und den 4 am weitesten rechts stehenden Bytes von V₂. Diese letzteren umfassen 3 Bytes von Y₁ und ein Byte des Verkettungswortes V₁.Likewise, the current concatenation word V ₂ arrives in the n-box and also in the concatenation register. The latter then receives the new short cipher block Y ₂ , which comprises 4 bytes. This is shown at the bottom of the second stage. The new concatenation word

consists of 4 bytes of Y ₂ and the 4 rightmost bytes of V ₂ . The latter comprise 3 bytes of Y ₁ and one byte of the concatenation word V ₁ .

besteht aus den 3 Bytes von Y₃ und den 5 am weitesten rechts stehenden Bytes von V₃. In diesem Zeitpunkt umfasst nun das neue Verkettungswort

, das zum laufenden Verkettungswort V₄ für die nächste Operation wird, nur noch Chiffretext. Dies sind die 3 Bytes von Y₃, die 4 Bytes von Y₂ und das letzte Byte rechts von Y₁. Es ist offensichtlich, das sich das Verkettungswort ständig ändert, unabhängig davon, wieviele kurze Blöcke in einer Reihe sich folgen. Hätte ein vierter Datenblock die volle Länge von 8 Bytes, dann würde V₄ als laufendes Verkettungswort eines Chiffriervorganges für volle Blöcke eingesetzt, wie dies Fig. 1A entspricht.In the third stage, the current chaining word V ₃ arrives in the n-box and in the chaining register. In the latter, it is combined with the short cipher block Y ₃ . The new concatenation word

consists of the 3 bytes of Y ₃ and the 5 rightmost bytes of V ₃ . At this point, the new chaining word now includes

, which becomes the current chaining word V ₄ for the next operation, only ciphertext. These are the 3 bytes of Y ₃ , the 4 bytes of Y ₂ and the last byte to the right of Y ₁ . It is obvious that the concatenation word changes constantly, regardless of how many short blocks in a row follow one another. If a fourth data block had the full length of 8 bytes, V ₄ would be used as the current chaining word of an encryption process for full blocks, as corresponds to FIG. 1A.

After describing the working concept of the present improved short block concatenation method, the description now follows special circuit arrangement, which serves the practice of the inventive method. The figures 2A and 2B show a flow diagram of the operations required in the circuitry of FIGS. 3A-3C. Before further explanation, however, the connection of the present invention with that described in US Pat. 4.078.152 is to be clearly defined again. The invention now to be discussed, namely an encryption and concatenation method for short data blocks, is a supplementary improvement of the method in the patent mentioned. As a result, the whole process operates as described in this patent until a short block of data occurs. In this point, the current, modified circuit arrangement controls the processes in the system. FIG. 1D of the named patent can be exactly replaced by FIGS. 2A and 2B of the present description of the invention.

Three registers, among others, of the function blocks can be found both in the mentioned patent and in the present circuit arrangement: the input register 10 (IN REG.) For input data, the old register 12 (OLD REG.) For the chaining word and the output register 14 (OUT REG .) for output data. The device works in exactly the same way up to and with box 35 of the flow chart, except that box 34 has been omitted. Boxes 100-108 replace the former box 36 and after leaving box 108 according to the present arrangement is reconnected to box 37, the operations being the same as before. Additional circuit elements in FIGS. 3A, 3B and 3C with respect to the corresponding figures in said US Pat. Are the EXCLUSIVE-OR-link EX-03 (Fig. 3A) together with the associated wiring for their connection, the additional input and control devices for the two multiplexers MPX2 and MPX3. One data input of the EX-03 comes from the input register and the other from the r-block I / O register 50. The output of the EX-03 is fed to the MPX2 on the one hand and forms the new input no. 4, on the other hand the MPX3 as new input No. 2. An additional control line must therefore be supplied for each MPX2 and MPX3.

To carry out the present inventive method for the concatenation of short blocks, the EX-O function of the short blocks X and Y with the block cipher product W of the current concatenation word V is exercised in the switching block EX-03 rather than in EX-02 according to US Pat. No. . 4,078,152. The purpose of the encryption is to direct the output of EX-03, which represents the short cipher block Y, via MPX2 to the old register 12, in order to take the place there in the new concatenation word V '. The old register 12 serves both as the chaining register described earlier and as a memory for the corresponding new chaining word, which is then made the current chaining word. Since only the last full block length of the concatenation result is stored as V ', it is sufficient if the old register has a full block length and the redundant oldest bytes are dropped.

Otherwise the arrangement of the FIGS. 3A-3C of the present invention as those of the ge called patent, which should not be described again. The new sequences of microprograms would also be stored in the residual value memory 24 (ROM) in order to control the necessary shifting, switching, testing, branching, etc. functions, as is done in the patent mentioned. Therefore, the output decoder 40, the control switches 42, the input multiplexer 32 and the read-only memory 24 (ROM) and the associated memory address registers 26 (MAR) operate in the same way as before.

At the beginning of the description of the present arrangement it is assumed that the presence of a short block of data has been determined. This short block (plain text or cipher text) is currently in the input register 10. The number n of bytes contained in the short block is immediately stored in the counter 46. Therefore, it can now be assumed that the operation has moved to box 30 of the flowchart in FIG. 2A. As a result, the number n to which the counter 46 has been set is stored in the copy register 48. The method now arrives at box 31, where a decision is made as to whether chaining should be averted or not. In accordance with the intentions of the present invention, this can be answered in the affirmative, and it continues to boxes 32 and 33. Together, they cause the content of the old register 12, which comprises the current concatenation word V, to be cryptographically converted to X on the one hand by the π block and is thus provided in the w-block I / O register 50, but on the other hand is still retained in the old register.

The process of transforming W (TW) according to box 32 is an optional additive for chaining and is described in the mentioned patent. It can be included or omitted here as before. Proceed now to box 35 of the flow chart after box 34, which still exists in the U.S. patent, has been eliminated. Now the n input bytes are shifted to the left by (8 - n) places. As a result, the bytes in the input register 10 are left-justified. It should be remembered here that the registers of the present circuit arrangement are all organized in series by bytes.

The process continues with the decision in box 100, which is the first to replace the previous box 36. The operating control line 7 is queried whether chaining is required. If, as is assumed, chaining is answered in the affirmative, then it proceeds to box 101, where the decision is made as to whether the method operates in the encryption mode or in the decryption mode.

When it comes to encryption, box 102 follows, at which step the future data path is determined. According to the method step in box 105, n shift operations are carried out. The short plain text block X stored in the input register with the beginning part of the block-encrypted expression W, which comes from the current chaining word V and is available in the π block I / O register 50, is entered into an EX-O link. At the same time, the result of this connection, the short Cipher block Y represents, both in the old register 12, for inclusion in the new chaining word V ', as well as in the output register 14 entered. The data flow just described and the associated operations have already been explained in FIG. 1C.

As indicated in box 106, it is checked again and a decision is made as to whether concatenation has been requested. Since this must be affirmed in the present circumstances, the method goes one step further to box 108, the content of the output register 14 being shifted a total of (8-n) times in order to right-justify the short block Y therein. Then it goes to box 37 and the n bytes of Y are output, so that from here on the control according to the repeatedly cited US patent is resumed.

Let's go back to step 101 and assume that decryption is required. Control now passes to box 103, again specifying the data path. This is followed by box 105 and n shift operations are carried out, by means of which the short cipher block Y, which is stored in the input register, with the beginning part of the block cipher expression W originating from the current chaining word V and provided in the w block I / O register in an EX -O is linked. The result of the link is then placed in the output register and at the same time the content of the input register, which contains Y, is transferred to the old register in order to form part of the new chaining word V 'there. The one just described Data flow and the process steps have already been set out in Fig. 1D. The subsequent control process proceeds via the same steps in boxes 106, 108 and 37, which have already been described in connection with the encryption and the concatenation of a short block.

If we start again with the step in box 100, we consider a short block and assume that no chaining is required. If desired, the concatenation according to the cited US patent and the present invention can be avoided. This is followed by the step outlined in box 104. The data path is determined again. According to box 105, n shift operations are carried out, as a result of which the plain text block X or the cipher block Y, which are stored in the input register, are linked with the beginning part of the content in the old register in an EX-0. At this point in time, the old register contains the block cipher printout of a size K2, this printout being supplied during steps 5, 7, 8 and 9 according to FIG. 1A of the cited patent. The result of the EX-O link is transferred to the output register and the content of the old register is returned to it. It is then checked according to box 106 whether chaining is in play. In the present case, it now proceeds to box 107. In this step, the content in the old register is additionally shifted by (8-n) bytes, so that the content is reached again before step 104 in order to prepare for processing further short blocks to meet. Control continues with the steps in boxes 108 and 37, with the short block X or Y is read out and the data flow reaches point C of FIG. 1A of said patent.

After the description of the data flow using the FIGS. 2A and 2B is now to be followed by one on the mode of operation of the circuit arrangement, as is required to carry out the method. 3A - 3C all the necessary details are shown and the workflow can be described by means of the microprogram sequences, the list of which immediately follows. The numbers in brackets on the left of the microprogram list indicate the step in the method according to FIGS. 2A and 2B of the flowchart are each. It should be noted that each numbered step in the microprogram list is to be performed by one or more microinstructions contained in read only memory 24 (ROM). The operation of the control unit including read-only memory 24, output decoder 40, control switch 42, input multiplexer 32 and other associated control elements is described in US Pat. 4.078.152 described in detail. Only so much of the arrangement shown in Figures 3A-3C is specifically described as is necessary to carry out the short block chaining method of the present invention.

MICROPROGRAM LIST

• (100) ADDRESS INPUT MPX LEITG. INPUT TEST MPX IF 1 GO TO (104) IF 0 CONTINUE
• (101) ADDRESS INPUT MPX LEITG. 8 INPUT TEST MPX IF 0 GO TO (103) IF 1 CONTINUE
• (102) ADDRESS MPX3 CABLE 2 ADDRESS MPX2 CABLE 4 SET SR MASK 001111 GO (105A)
• (103) ADDRESS MPX3 CABLE 2 ADDRESS MPX2 CABLE 0 SET SR MASK 001111 GO TO (105A)
• (104) ADDRESS MPX4 CABLE 1 ADDRESS MPX3 CABLE 2 ADDRESS MPX2 CABLE 1 SET SR MASK 001110
• (105A) CHARGE COUNTER 46 SET U / D LEITG. = O ADDRESS INPUT MPX LEITG. 11
• (105B) SR TRANSMIT clock pulse diminish Z _A EHLE _R 46 UM 1 TEST EING.MPX IF 0 go to (105B) 1 CONTINUE IF
• (106) ADDRESS INPUT MPX LEITG. 7 INPUT TEST MPX IF 0 GO TO (108A) IF 1 CONTINUE
• (107A) ADDRESS MPX2 CABLE 1 SET SR MASK 001000 (mC selects ALTREG.) ADDRESS INPUT MPX LEITG. 9 CHARGE COUNTER 46 SET U / D LEITG. = 1
• (107B) SEND SR-TIMER INCREASE COUNTER 46 BY 1 TEST INPUT MPX IF 0 GO TO (107B) IF 1 CONTINUE
• (108A) SET SR MASK 000010 (I choose OUTPUT REG.) ADDRESS INPUT MPX LEITG. 9 CHARGE COUNTER 46 SET U / D LEITG. = 1
• (108B) TRANSMIT SR-CLOCK PULSE INCREASE COUNTER 46 BY 1 TEST INPUT MPX IF 0 GO TO (108B) IF 1 GO TO (37A)

According to the earlier description of Fig. 2, control proceeds from microprogram step (35) in said patent to step (100) of the present description. At this point in time, the input register contains the new short block X or Y for encryption or decryption, the old register contains the current chaining word V and the π block I / O register contains the ciphertext W of the current chaining word V.

In the first step (100), the input multiplexer is caused to address line 7. This line "without chaining" is acted upon (or not) when the method is started. If the operating control is "without chaining", then a logical "1" appears on line 34 after the test carried out in multiplexer 32. This means that a branch address is stored in the memory address register 26 (MAR), which is transferred to the read-only memory 24 (ROM), so that the method now proceeds to step (104). If there is a logical "0" on line 34, which means chaining, then the method proceeds to the next step in the read-only memory, the previous address in the memory address register 26 being increased by 1. If step (101) now follows, however, line 8 is first activated in input multiplexer 32 in order to decide on the encryption or decryption operation. As in step (100), a signal appears on line 34 as a result of this test on line 8. If it has a logical "0", decryption is required and the process continues to step (103). Shows line 34 but a "1", then encryption is required and it continues to step (102).

At step (102), the microinstruction called up in the read-only memory causes 42 cable no. 2 in MPX3 and cable No. 4 can be selected in MPX2. At the same time, the control switch 42 also outputs a shift register (SR) mask with the lineup 001111 via the corresponding cable. This means one input signal each for the lines mC, mD, mE and mF for four of the six AND gates A-0 to A-5 below the output register 14 in FIG. 3C. As a result, the following SR clock pulses are forwarded via lines C, D, E and F, the shift operations in the old register, in the input register, in the output register or in the π-block I / O register being started. When this step is completed, step (105A) is performed.

If branching to step (103) had taken place after step (101), an operation similar to step (102) would have taken place, with the control switch 42 connecting the cable No. 2 from MPX3 and cable No. 0 controlled by MPX2. The SR mask cable now outputs the same signal set-up as in step (102), namely 001111. Therefore, the same registers also receive shift control pulses for carrying out the operations of the flow chart recorded in boxes 102 and 103. In both cases the output register receives the output values of the EX-O function for the content of the input register and the π-block I / O register. But according to box 102, the old register receives the same input signals as the off gear register. In contrast to this, the old register according to box 103, after another cable has been driven by MPX2, receives the content of the input register, as is necessary for decryption and therefore also for the preparation of the old register with a view to integrating Y into the new chaining word V ' is. After step (103) is completed, step (105A) follows.

It is now assumed that the check in step (100) has resulted in "no chaining", so that step (104) follows. The first command in this step causes the control switch 42 to output cable no. l from MPX4, cable no. 2 from MPX3 and cable No. 1 can be controlled by MPX2. 'This selection determines the data path, the content of the input register and that of the old register being fed to the EX-O function. Originally, the old register according to U.S. Patent No. 4,078,152 the cipher print of a size that was stored in the K2 register. The result of the EX-O function is returned to the old register, and the selection of MPX2 means that the previous content of the old register is also saved again in this. The step (104) determines that the cable SR mask also outputs a signal list 001110, which makes the old registers, input registers and output registers receivers of SR clock pulses during step (105).

The step (105A) is carried out in two parts, the part step (105A) providing the control line for execution and the part step (105B) as a control loop enables the successive shifting of the bytes in the respective register. During the shift, the status of the counter 46 is checked at the same time to determine whether the required number of shifts has already taken place. In sub-step (105A), the counter 46 is loaded with the number n, which had previously been entered in the copy register 48. In addition, the U / D control line is set to "0", which leads to a reduction in the counter reading for each incoming pulse CP1. At the same time, line no. 11 of the input multiplexer controlled, whereby a sequence of steps present in the read-only memory (ROM) 24. can check when the counter reading reaches zero. The termination of sub-step (105A) triggers the start of sub-step (105B). The delivery of an SR clock pulse is triggered by the monostable multivibrator (SS) 43 via the SR clock line to all AND gates A-0 to A-5 of FIG. 3C in order to add the registers previously selected by the SR mask irritate. In the step sequences (102), (103) and (104), the special mask signals are selected based on the required operations. The next microinstruction of step (105B) decreases the level in counter 46 over line CP1. Line 11 of the input multiplexer is now checked. When the count has reached zero, this line carries a logical "1", which means that the required number n shift operations have been processed. This would end step (105) and step (106) follows. If the counter reading has not yet reached zero, line 11 is at logic "0" and step (105B) is repeated.

Step (106) queries line 7 of input multiplexer 32 as to whether an operation "without chaining" is in progress. If the line 7 carries a zero, which means chaining, then it proceeds to step (108A). Otherwise, line 7 carries a logic "1" that says "without chaining" and proceeds to step (107A).

Thus, if chaining is not required, the control switches 42 are caused to step the cable No. in step (107A). 1 controlled by the MPX2. The SR mask is set to 001000. As a result, the C sliding line is acted upon and shifting impulses are directed to the old register. At the same time, however, line 9 to input multiplexer 32 is also controlled, and finally the number n is also set in counter 46 and the U / D line is assigned a "1", so that the counter reading increases by each incoming pulse CP1 becomes. This achieves the following: The old register with its control circuits is able to shift its content by 8 bytes within the register and to completely re-enter the previous memory content, as has already been done according to box 104 of the flowchart. The constant stored in the old register has been completely pushed back into its own place in this operating mode. With the counter set to the number n, the level of which increases in each case, a transfer is generated when the value 8 is reached, as explained in the cited patent.

The clock sequence of step (107B) is a control loop that allows the registers to perform shift operations until the number (8-n) is reached. Step (107B) first causes an SR clock pulse to be delivered through the output decoder 40 to the AND gates of FIG. 3C. The pulse finally reaches the old register via line C and triggers a shift operation. At the same time, the level in counter 46 is increased and line 9 is automatically queried in order to find out its state "0" or "1". A zero means that the required number of shift operations has not yet been performed. The process then begins again at the beginning of step (107B). A one, on the other hand, means that one can now proceed to step (108) and start with (108A).

According to box 108, the n bytes of cipher text Y or plain text X just set up are now right-justified in the old register according to (8 - n) positions. This begins with the signal switches 000010 being emitted by the control switches 42 via the SR mask line. This prepares the E line that triggers shift operations in the output register as soon as it receives a pulse from the SR clock line during substep (108B). It is not necessary to select one of the multiplexers 1-4, since this is only a shift operation in a register. But since (8 - n) has to be shifted, line 9 of input multiplexer 32 is driven and number n is set in counter 46. At the same time the U / D line is set to logic "1" so that the counter reading can be increased. It continues with the sub-step (108B), which represents a loop for shifting operations such as steps (107B), (105B), etc. An SR clock pulse is now output by the output decoder 40, which is sent to the AND gate A-0 arrives and triggers a 1-byte shift operation in the output register. The level in counter 46 is increased and the status of line 9 to input multiplexer 32 is queried. If the latter is "0", which means that there have not yet been enough shift operations to generate a transfer, the process sequence begins again at step (108B). However, if there is a "1" on line 9, the method continues at step (37A) according to said patent, the n bytes of the short block provided by the method being output from the output register. The special operations in box 37 are the same as in box 108, except that after entering number n in counter 46, line 11 is queried instead of line 9 and the U / D line is set to "0", which is why the counter reading is reduced in each case. For a special description of this, reference is again made to US Pat. 4,078,152, whose procedure is now fully taken over by the further control.

It should be remembered that at this point in time the old register 12 contains a new "running" concatenation word that can be used in the further process, regardless of whether a "block end", a short block or a full block is next in the data stream Block occurs. This concatenation word located in the old register thus represents the last 8 bytes of an encrypted text Y, which the device has produced when at least 8 bytes have been processed. Otherwise, it is less than 8 bytes of processed cipher text, preceded by enough last bytes of the first concatenation word to reach the total of 8 bytes.

This concludes the description of the circuit arrangement for executing the inventive method. Changes are obviously conceivable without deviating from the concept of the invention if, for example, other data formats are used or special symbols for marking or separating short data blocks are introduced.

The inventive method for encryption and chaining of data, or their decryption, explained here when shorter blocks than usual occur can be used in any block cipher system, and especially where high data security is required. This applies to data transfer, which can be tapped easily, or to large files, for which unauthorized access is not easily prevented. Data security problems also arise in the application of the ever increasing number of credit cards in the sale of goods and at banks, for which the present invention represents a possible solution.

Claims (4)

l. Method for encrypting data blocks X of a predetermined length L ^(f) in operation of an encryption key in order to form encrypted blocks Y with the same length L ^(f) for the output, combined with concatenation during the encryption of input data blocks of length L ^(s) , the shorter is characterized as L ^(f) , in order to form short encrypted blocks Y ^(s) for the output with the same length L ^(s) , characterized in that the input of a short data block X _i of length L ^{(s) is} determined as a concatenation word V _{i of} the current encryption step the last available product

of the encryption process in full block length L ^{(f) is used,} without taking into account the length of the last encrypted block Y _i-1 , that said chaining word V _{i is} encrypted, and that a part L ^{(s) of} the entire encrypted chaining word W _i by a mathematically invertible function to said short data block X _i are combined and the combination as encrypted output _Y. of the short data block is used and that finally the combination of length L ^{(s) mentioned} is the newest component of the concatenation word to be used in the next encryption process

is used, regardless of how long the next data block X _{i + 1} to be encrypted is. 2. The method according to claim 1, characterized in that to form said combination, the encrypted chaining word W _i and the short data block X _i entered are supplied with an EXCLUSIVE-OR operation. 3. The method according to claim 1, characterized in that the cipher block Y _i just appearing in the output of n bytes in length with the previously published cipher text Y _{i-1 in} order to form a new concatenation word

is connected, the latter being required for the next encryption process, and that the said connection is effected by erasing the n oldest bytes in the chaining word V _i last used when inserting the cipher block Y _i . 4. The method according to claim 3, characterized in that a predetermined initial chaining word (ICV) is used at the start of the encryption operations.

Images